PLC Forum


VPN L2TP/ipsec win10 to Mikrotik



Recommended Posts

Jacopo Taddei Sozzifanti

Good morning,

I have a MikroTik firewall (hEX-series: 6.43.12 G3) that I use as an L2TP server. I need to configure Win10 (Pro, version 1809, build 17763.316: latest update downloaded 20/02/19) to establish an L2TP/IPsec VPN to the MikroTik.

On the firewall I have set up the various items (firewall/ipsec/ppp/etc. etc.), and likewise on Win10.

With the older MikroTik software/firmware versions and earlier Win10 updates I was able to bring the tunnel up ... now I no longer can.

The client always produces the error: << Tentativo di connessione L2TP non riuscito. Il livello di sicurezza ha rilevato un errore di elaborazione durante le negoziazioni iniziali con il computer remoto. >> (the same message on an English Windows build: "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer.")

Suggestions?



You are a new user who accepted the rules without reading them carefully; had you read them carefully you would know that opening several threads on the same topic is prohibited.

I have deleted the other thread; please continue only in this one.


If you don't post the config, it'll be hard to help you.

Besides, you talk about firewall rules that might not even be needed, given that the device is itself a router.......


It wouldn't hurt to also try connecting the tunnel using the VPN server's internal IP while you're connected on the LAN..

Also, when you attempt the connection remotely via the public IP, it would be good to take a look at the MikroTik logs... to understand whether the tunnel tries to establish a connection or doesn't even reach the MikroTik


1 month later...
Jacopo Taddei Sozzifanti
On 25/2/2019 at 22:25, abbio90 wrote:

It wouldn't hurt to also try connecting the tunnel using the VPN server's internal IP while you're connected on the LAN..

Also, when you attempt the connection remotely via the public IP, it would be good to take a look at the MikroTik logs... to understand whether the tunnel tries to establish a connection or doesn't even reach the MikroTik

 

[ivsec@Rou77-2] > expor
# apr/24/2019 09:41:44 by RouterOS 6.44.2
# software id = E9CV-XIYZ
#
# model = RouterBOARD 750G r3
# serial number = 6F3807852F3C
/interface bridge
add admin-mac=64:D1:54:07:E2:A2 auto-mac=no comment="created from master port" name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan speed=100Mbps
set [ find default-name=ether2 ] name=ether2-lan speed=100Mbps
set [ find default-name=ether3 ] name=ether3-lan speed=100Mbps
set [ find default-name=ether4 ] name=ether4-lan speed=100Mbps
set [ find default-name=ether5 ] name=ether5-lan speed=100Mbps
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec profile
add dh-group=modp768 enc-algorithm=des name=profile_1 nat-traversal=no
add dh-group=modp1024 dpd-interval=disable-dpd name=profile_2
add dh-group=modp1024 enc-algorithm=aes-128 name=profile_3 nat-traversal=no
add dh-group=modp1024 dpd-interval=disable-dpd enc-algorithm=aes-256 lifetime=8h name=profile_4 nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128 name=profile_5
add dh-group=modp1024 name=profile_6
add dh-group=modp2048 enc-algorithm=aes-256,3des name=profile_7
/ip ipsec peer
add address=212.210.16.58/32 comment="Ike Iv Sede" local-address=77.238.25.6 name=peer1 profile=profile_1
add address=195.120.197.158/32 comment="Ike Iv Sede ADSL" disabled=yes local-address=77.238.25.6 name=peer10 profile=profile_6
add address=195.120.197.158/32 comment="Ike Prova" disabled=yes name=peer9 profile=profile_5
add address=156.54.148.245/32 comment="Ike IvNuvola" local-address=77.238.25.6 name=peer6 profile=profile_4
add address=151.40.12.140/32 comment="Vpn jacopo (casa)" local-address=77.238.25.6 name=peer11 profile=profile_7
add address=77.238.25.28/32 comment=Cliente-Fi local-address=77.238.25.6 name=peer5 profile=profile_3
add comment=Nomadiche local-address=192.168.93.1 name=peer3 passive=yes profile=profile_2
/ip ipsec proposal
set [ find default=yes ] lifetime=1h
add auth-algorithms=md5 enc-algorithms=aes-256-cbc,3des name=proposalJacTS pfs-group=modp2048
add enc-algorithms=aes-128-cbc,3des name=isofom pfs-group=none
/ip pool
add name=default-dhcp ranges=192.168.93.2-192.168.93.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge1 name=defconf
/ppp profile
add comment="Profilo Nomadi" name=profiloNomadi remote-address=default-dhcp use-encryption=yes use-mpls=no use-upnp=no
set *FFFFFFFE remote-address=default-dhcp use-mpls=no use-upnp=no
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=bridge1 interface=ether3-lan
add bridge=bridge1 interface=ether4-lan
add bridge=bridge1 interface=ether5-lan
add bridge=bridge1 interface=ether2-lan
/ip neighbor discovery-settings
set discover-interface-list=discover
/ip settings
set secure-redirects=no send-redirects=no
/interface l2tp-server server
set enabled=yes ipsec-secret=solo04noi05zzz use-ipsec=yes
/interface list member
add interface=bridge1 list=discover
add interface=ether3-lan list=discover
add interface=ether4-lan list=discover
add interface=ether5-lan list=discover
add interface=bridge1 list=mactel
add interface=bridge1 list=mac-winbox
/interface ovpn-server server
set certificate=Server.pem_0 cipher=blowfish128,aes128,aes192,aes256 enabled=yes require-client-certificate=yes
/ip address
add address=192.168.222.3/24 comment=Lan interface=bridge1 network=192.168.222.0
add address=77.238.25.6/29 comment=Wan interface=ether1-wan network=77.238.25.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1-wan
/ip dhcp-server network
add address=192.168.222.0/24 comment=defconf gateway=192.168.222.2 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.222.2 name=router
/ip firewall address-list
add address=195.120.197.156/30 comment="Adsl Iv" list=Iv
add address=212.210.16.56/30 comment="Fibra1 Iv" list=Iv
add address=194.243.113.208/30 comment="Fibra2 Iv" list=Iv
add address=192.168.111.0/24 comment="Vpn Iv" disabled=yes list=Vpn
add address=192.168.222.0/24 comment=Lan list=Lan
add address=192.100.100.0/24 comment="Gasmess prova" disabled=yes list=Vpn
add address=192.168.230.0/24 comment="Vpn Clente-Fi" list=Vpn
add address=172.16.0.0 comment=IvNuvola list=Vpn
add address=213.188.207.133 list=Nextos
add address=213.188.207.190 list=Nextos
add address=151.14.38.93 list=Nextos
add address=192.168.111.0/24 comment="Lan Iv" list=Iv
/ip firewall filter
add action=accept chain=input comment="Established e Related" connection-state=established,related
add action=accept chain=input comment="Accetta ICMP" protocol=icmp
add action=accept chain=input comment=Ike dst-port=500 in-interface=ether1-wan protocol=udp
add action=accept chain=input comment=NatT dst-port=4500 in-interface=ether1-wan protocol=udp
add action=accept chain=input comment=L2tp dst-port=1701 in-interface=ether1-wan protocol=udp
add action=accept chain=input comment="Http porta 8080 su Rou77-2" dst-port=8080 in-interface=ether1-wan protocol=tcp
add action=accept chain=input comment="Http porta 8080 su Rou77-2" dst-port=8080 in-interface=!ether1-wan protocol=tcp
add action=accept chain=input comment="Https porta 1443 su Rou77-2" dst-port=1443 in-interface=ether1-wan protocol=tcp src-address-list=Iv
add action=accept chain=input comment="Https porta 1443 su Rou77-2" dst-port=1443 in-interface=!ether1-wan protocol=tcp
add action=accept chain=input comment=OpenVpn dst-port=1194 in-interface=ether1-wan protocol=tcp
add action=accept chain=input comment="Accetta Esp" protocol=ipsec-esp
add action=drop chain=input comment="Drop Tutto"
add action=accept chain=forward comment="Established e Related" connection-state=established,related
add action=accept chain=forward comment="Vpn in" ipsec-policy=in,ipsec
add action=accept chain=forward comment="Vpn out" ipsec-policy=out,ipsec
add action=accept chain=forward comment="Vpn e Routes" disabled=yes src-address=192.0.0.0/8
add action=accept chain=forward comment="Vpn Iv Nuvola" disabled=yes src-address=172.16.0.0/24
add action=accept chain=forward comment=Pinhole connection-nat-state=dstnat
add action=accept chain=forward connection-state=new in-interface=bridge1 out-interface=ether1-wan
add action=drop chain=forward comment="Drop tutto"
/ip firewall mangle
add action=change-mss chain=forward disabled=yes new-mss=1300 out-interface=ether1-wan passthrough=no protocol=tcp tcp-flags=syn tcp-mss=1301-65535
/ip firewall nat
add action=accept chain=srcnat comment="Vpn Iv sede" dst-address=192.168.111.0/24 src-address=192.168.222.0/24
add action=accept chain=srcnat comment="Vpn Clente-Fi" dst-address=192.168.230.0/24 src-address=192.168.222.0/24
add action=accept chain=srcnat comment="Vpn IvNUvola" dst-address=172.16.0.0/24 src-address=192.168.222.0/24
add action=accept chain=srcnat comment="Vpn Prova" dst-address=192.168.88.0/24 src-address=192.168.222.0/24
add action=accept chain=srcnat comment="Vpn Jacopo (casa)" dst-address=172.16.79.0/24 src-address=192.168.222.0/24
add action=masquerade chain=srcnat comment="Masquerade Out" out-interface=ether1-wan
add action=masquerade chain=srcnat comment=Nomadiche out-interface=all-ppp src-address=192.168.93.0/24
add action=dst-nat chain=dstnat disabled=yes dst-address=77.238.25.6 dst-port=22 in-interface=ether1-wan protocol=tcp to-addresses=192.168.222.115
add action=dst-nat chain=dstnat comment="Ssh su Lombarda da Orobica (Stefania Frigerio e Cesare Tonelli)" dst-address=77.238.25.6 dst-port=22 protocol=tcp src-address=62.97.59.200/29 to-addresses=192.168.222.119
add action=dst-nat chain=dstnat dst-address=77.238.25.6 dst-port=22 protocol=tcp src-address=194.243.113.208/30 to-addresses=192.168.222.119
add action=dst-nat chain=dstnat comment="Prova Samba da Google per Luca Xp" dst-address=77.238.25.6 dst-port=445 in-interface=ether1-wan protocol=tcp src-address=57.174.236.34 to-addresses=192.168.222.117 to-ports=445
add action=dst-nat chain=dstnat comment=Nextos dst-address=77.238.25.6 dst-port=2203 in-interface=ether1-wan protocol=tcp src-address-list=Nextos to-addresses=192.168.222.130 to-ports=22
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec identity
add peer=peer1 secret=solo04noi05zzz
add peer=peer3 secret=solo04noi05zzz
add peer=peer5 secret="La@07@cosa'"
add peer=peer6 secret=IvNuvola04NuvolaIvIvNuvola04NuvolaIv
add peer=peer9 secret=TesttestTest
add peer=peer10 secret=pippo123
add peer=peer11 secret=iV9ac049AcIv
/ip ipsec policy
set 0 disabled=yes
add comment="Vpn Iv Sede" dst-address=192.168.111.0/24 proposal=proposalJacTS sa-dst-address=212.210.16.58 sa-src-address=77.238.25.6 src-address=192.168.222.0/24 tunnel=yes
add comment=Cliente-Fi dst-address=192.168.230.0/24 sa-dst-address=77.238.25.28 sa-src-address=77.238.25.6 src-address=192.168.222.0/24 tunnel=yes
add comment="Vpn IvNuvola" dst-address=172.16.0.0/24 sa-dst-address=156.54.148.245 sa-src-address=77.238.25.6 src-address=192.168.222.0/24 tunnel=yes
add comment="Vpn Prova" dst-address=192.168.88.0/24 sa-dst-address=195.120.197.158 sa-src-address=77.238.25.6 src-address=192.168.222.0/24 tunnel=yes
add comment="Vpn Iv Sede ADSL" disabled=yes dst-address=192.168.111.0/24 sa-dst-address=195.120.197.158 sa-src-address=77.238.25.6 src-address=192.168.222.0/24 tunnel=yes
add comment="Vpn Jacopo (casa)" disabled=yes dst-address=172.16.79.0/24 proposal=proposalJacTS sa-dst-address=151.40.12.140 sa-src-address=77.238.25.4 src-address=192.168.222.0/24 tunnel=yes
/ip route
add distance=1 gateway=77.238.25.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=8080
set ssh disabled=yes
set www-ssl certificate=certRou77-2 disabled=no port=1443
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ppp secret
add local-address=192.168.93.1 name=massimo password=sint2727 profile=default-encryption remote-address=192.168.93.2
add local-address=192.168.93.1 name=franco password=ppippo123 profile=default-encryption remote-address=192.168.93.3 service=l2tp
add local-address=192.168.93.1 name=sandro password=5ant1ne77! profile=default-encryption remote-address=192.168.93.4 service=l2tp
add local-address=192.168.93.1 name=francesca password=lo04bri07glio profile=default-encryption remote-address=192.168.93.5 service=l2tp
add local-address=192.168.93.1 name=elisa password=!TEW84Ky profile=default-encryption remote-address=192.168.93.6 service=l2tp
add local-address=192.168.93.1 name=isofom01 password="\"1sof0m!\"" profile=default-encryption remote-address=192.168.93.7 service=l2tp
add local-address=192.168.93.1 name=isofom02 password="\"1sof0m\$\"" profile=default-encryption remote-address=192.168.93.8 service=l2tp
add name=isofom03 password=ppippo123 profile=default-encryption remote-address=192.168.93.9 service=l2tp
add local-address=192.168.93.1 name=isofom04 password="\"1sof0m4\$\"" profile=default-encryption remote-address=192.168.93.10 service=l2tp
add local-address=192.168.93.1 name=alice password=VH5bJkz%9 profile=default-encryption remote-address=192.168.93.11
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=Rou77-2
/system logging
set 0 disabled=yes
set 1 disabled=yes
set 2 disabled=yes
set 3 disabled=yes
add disabled=yes prefix=FIRE topics=firewall
add disabled=yes topics=ovpn
add prefix=IPSEC topics=ipsec
add prefix=L2TP topics=l2tp
/system resource irq rps
set ether1-wan disabled=no
set ether3-lan disabled=no
set ether4-lan disabled=no
set ether5-lan disabled=no
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool sniffer
set filter-interface=ether1-wan filter-ip-address=109.168.38.238/32 filter-ip-protocol=tcp filter-operator-between-entries=and
[ivsec@Rou77-2] >
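An added example, not code from the thread or from MikroTik: a Python audit of the IKE/IPsec algorithm settings in a RouterOS text export, of the kind a defender would run over a configuration like the one posted above before exposing an L2TP/IPsec server to the internet. It parses the `/ip ipsec profile`, `/ip ipsec peer` and `/ip ipsec proposal` sections (joining the backslash continuations an export prints), fills in assumed RouterOS defaults for omitted parameters (those default values are an assumption, marked as such in the code), and reports single DES, 3DES, MD5 and small DH groups together with the peers that use each profile. The embedded sample is a shortened excerpt of the posted export. It does not diagnose the Windows error quoted in the first post; it only shows which settings are worth fixing.

```python
"""Audit IKE/IPsec algorithm choices in a RouterOS text export.

Added example (not from the forum thread or from MikroTik): parses the
/ip ipsec profile, peer and proposal sections and flags weak settings.
"""
import re
import shlex

# Assumed RouterOS defaults for parameters an export omits (an assumption,
# not taken from the thread): phase 1 profile and phase 2 proposal.
PROFILE_DEFAULTS = {"enc-algorithm": "aes-128", "hash-algorithm": "sha1",
                    "dh-group": "modp1024"}
PROPOSAL_DEFAULTS = {"enc-algorithms": "aes-256-cbc,aes-192-cbc,aes-128-cbc",
                     "auth-algorithms": "sha1", "pfs-group": "modp1024"}
WEAK_ENC, WEAK_HASH = {"des", "3des", "null"}, {"md5"}
WEAK_DH, LEGACY_DH = {"modp768"}, {"modp1024"}

# Constructed sample: a shortened excerpt of the export posted above.
SAMPLE_EXPORT = """\
[ivsec@Rou77-2] > export
# apr/24/2019 09:41:44 by RouterOS 6.44.2
/ip ipsec profile
add dh-group=modp768 enc-algorithm=des name=profile_1 nat-traversal=no
add dh-group=modp1024 dpd-interval=disable-dpd name=profile_2
add dh-group=modp2048 enc-algorithm=aes-256,3des name=profile_7
/ip ipsec peer
add address=212.210.16.58/32 comment="Ike Iv Sede" name=peer1 profile=profile_1
add comment=Nomadiche local-address=192.168.93.1 name=peer3 passive=yes \\
    profile=profile_2
/ip ipsec proposal
set [ find default=yes ] lifetime=1h
add auth-algorithms=md5 enc-algorithms=aes-256-cbc,3des name=proposalJacTS pfs-group=modp2048
"""


def parse_export(text):
    """Return {section: [entry, ...]} for the add/set lines of an export.

    An entry maps parameter names to values, plus '_verb' ('add'/'set') and
    '_target' (what a 'set' line addresses, e.g. '[ find default=yes ]' or
    '0'; None for 'add'). Backslash-newline continuations are joined first.
    """
    text = re.sub(r"\\\r?\n\s*", "", text)
    sections, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        # skip blanks, '#' header comments and the "[user@router] >" prompt
        if not line or line[0] in "#[":
            continue
        if line.startswith("/"):
            section = line
            sections.setdefault(section, [])
            continue
        if section is None:
            continue
        tokens = shlex.split(line)
        verb, rest, target = tokens[0], tokens[1:], None
        if verb == "set" and rest:
            if rest[0] == "[":                       # set [ find ... ] k=v
                close = rest.index("]")
                target, rest = " ".join(rest[:close + 1]), rest[close + 1:]
            elif "=" not in rest[0]:                 # set 0 k=v / set ftp k=v
                target, rest = rest[0], rest[1:]
        entry = {"_verb": verb, "_target": target}
        for tok in rest:
            key, _, value = tok.partition("=")
            entry[key] = value
        sections[section].append(entry)
    return sections


def _algs(entry, key, defaults):
    """Algorithms configured for key, falling back to the assumed default."""
    return set(entry.get(key, defaults[key]).split(","))


def audit_ipsec(text):
    """Return [(object_name, finding), ...] for weak phase 1/phase 2 settings."""
    cfg, findings, users = parse_export(text), [], {}
    for peer in cfg.get("/ip ipsec peer", []):          # profile -> peer names
        users.setdefault(peer.get("profile", "default"), []).append(peer.get("name", "?"))
    for prof in cfg.get("/ip ipsec profile", []):
        name = prof.get("name", "default")
        peers = ", ".join(users.get(name, [])) or "no peer"
        for alg in sorted(_algs(prof, "enc-algorithm", PROFILE_DEFAULTS) & WEAK_ENC):
            findings.append((name, f"phase 1 offers weak cipher {alg} (peers: {peers})"))
        for alg in sorted(_algs(prof, "hash-algorithm", PROFILE_DEFAULTS) & WEAK_HASH):
            findings.append((name, f"phase 1 offers weak hash {alg} (peers: {peers})"))
        dh = _algs(prof, "dh-group", PROFILE_DEFAULTS)
        for grp in sorted(dh & WEAK_DH):
            findings.append((name, f"phase 1 DH group {grp} is far too small (peers: {peers})"))
        for grp in sorted(dh & LEGACY_DH):
            findings.append((name, f"phase 1 DH group {grp} is legacy; prefer modp2048 or larger where the client allows (peers: {peers})"))
    for prop in cfg.get("/ip ipsec proposal", []):
        name = prop.get("name", "default")
        for alg in sorted(_algs(prop, "enc-algorithms", PROPOSAL_DEFAULTS) & WEAK_ENC):
            findings.append((name, f"phase 2 offers weak cipher {alg}"))
        for alg in sorted(_algs(prop, "auth-algorithms", PROPOSAL_DEFAULTS) & WEAK_HASH):
            findings.append((name, f"phase 2 offers weak integrity algorithm {alg}"))
        if prop.get("pfs-group", PROPOSAL_DEFAULTS["pfs-group"]) == "none":
            findings.append((name, "phase 2 without perfect forward secrecy"))
    return findings


if __name__ == "__main__":
    for obj, msg in audit_ipsec(SAMPLE_EXPORT):
        print(f"{obj}: {msg}")
```

Run against a full export, the report lists every profile and proposal that still offers DES, 3DES or MD5 and names the peers bound to it, so that a profile used only by a disabled or test peer can be cleaned up separately from the one the roaming L2TP clients (`peer3` above) actually negotiate with.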

